amalkabraham001

Create and Configure Azure Files using Microsoft Entra Kerberos authentication for AVD deployment.

Let us learn how to create and configure Azure Files to use Microsoft Entra Kerberos authentication.
This configuration lets you store FSLogix profile containers that hybrid user identities can access from Microsoft Entra joined or Microsoft Entra hybrid joined session hosts, without network line of sight to domain controllers. With Microsoft Entra Kerberos, Microsoft Entra ID issues the Kerberos tickets needed to access the file share over the industry-standard SMB protocol, so neither the share nor the session host has to reach an on-premises domain controller at logon.
The diagram below gives a logical representation of the AVD infrastructure leveraging Entra ID.

Logical Diagram

Key Considerations

  1. User identities must be hybrid identities (synchronised from on-premises Active Directory to Microsoft Entra ID). Cloud-only accounts are not supported for Microsoft Entra Kerberos authentication to Azure Files.

  2. Session hosts must run a supported OS: Windows 10 Enterprise single-session or multi-session, version 2004 or later; Windows 11 Enterprise single-session or multi-session; or Windows Server 2022.

Configure Microsoft Entra Kerberos for Azure Files

The first step is to enable identity-based access on your file share.
Create a standard or premium Azure file share.
Navigate to the newly created storage account --> File shares.
Under the file share settings, click Configure next to Identity-based access.
Configure option
In the identity-based access configuration window, click Set up under "Microsoft Entra Kerberos".

Image description
Tick the box next to Microsoft Entra Kerberos to enable Entra-based authentication. Enabling it registers an application for the storage account in your Entra tenant; an administrator must grant admin consent to that application's API permissions, otherwise users will not be issued tickets for the share.

Image description

Optionally, you can also supply the on-premises domain name and domain GUID here. They are not required for share-level access, but the storage account needs them if you want to configure directory- and file-level (NTFS) permissions with Windows tools.
Image description

Set Share level permissions

The next step is to configure share-level permissions from the same file share settings window. Share-level permissions are Azure RBAC assignments: to grant Storage File Data SMB Share Reader (or Contributor) permissions to specific users or groups, an administrator assigns the corresponding Azure RBAC role on the share.
To give read-only access to all authenticated identities, select the "Storage File Data SMB Share Reader" option as shown in the screenshot below. Be aware that the share-level permission caps whatever the NTFS permissions allow: with Reader at the share level users cannot create or write their profile containers, so for an FSLogix profile share grant Storage File Data SMB Share Contributor (to all authenticated identities, or to the AVD user group via RBAC) and rely on the NTFS permissions configured in the next step to keep users out of each other's profiles.

Image description

Configure NTFS Permissions

In order to configure NTFS permissions, connect to the share from a domain-joined machine using the storage account key. The key authenticates as the storage account itself and bypasses share-level RBAC, so treat it as a full-control credential: do not leave it in scripts or persistent drive mappings, and rotate it if it has been handled loosely.

Connect using Storage Key

Configure the security permissions as per the Microsoft recommendation for FSLogix file shares: the users group gets Modify on this folder only, CREATOR OWNER gets Modify on subfolders and files only, and (optionally) Administrators get Full control on this folder, subfolders and files. This lets each user create their own profile folder while preventing them from reading anyone else's.

FileShare Permissions
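The mount-and-ACL step above, scripted in PowerShell. This is an added example and not code from the original post; the resource group "rg-avd", storage account "avdprofilesstg", share "fslogix" and group "CONTOSO\AVD-Users" are placeholder names, and the script assumes the Az.Storage module, an active Connect-AzAccount session, and outbound TCP 445 from a domain-joined admin machine.

```powershell
# Added example (not from the original post). Placeholder names: rg-avd, avdprofilesstg,
# fslogix, CONTOSO\AVD-Users. Run elevated on a domain-joined machine with Az.Storage loaded
# and Connect-AzAccount already done.
$ResourceGroup  = 'rg-avd'
$StorageAccount = 'avdprofilesstg'
$Share          = 'fslogix'
$UsersGroup     = 'CONTOSO\AVD-Users'
$Drive          = 'Z:'
$Unc            = "\\$StorageAccount.file.core.windows.net\$Share"

# Fetch the key from ARM at run time instead of pasting it into the script.
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value

# The key authenticates as AZURE\<account>, which bypasses share-level RBAC and has full
# control, so it can write the ACLs. It is a full-control credential: never use it in logon scripts.
net use $Drive $Unc /user:"AZURE\$StorageAccount" $Key | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not map $Unc with the storage account key" }

# Replace the permissive default ACL with Microsoft's recommended FSLogix layout:
#   users group    : Modify, this folder only          -> may create their own profile folder
#   CREATOR OWNER  : Modify, subfolders and files only -> each user owns only what they created
#   Administrators : Full control on everything (optional)
icacls $Drive /remove:g 'Authenticated Users' 'Users' | Out-Null
icacls $Drive /grant:r "${UsersGroup}:(M)" | Out-Null
icacls $Drive /grant:r 'CREATOR OWNER:(OI)(CI)(IO)(M)' | Out-Null
icacls $Drive /grant:r 'BUILTIN\Administrators:(OI)(CI)(F)' | Out-Null
icacls $Drive /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)' | Out-Null

# Show the resulting ACL, then drop the key-based mapping so the key does not linger on this box.
icacls $Drive
net use $Drive /delete /y | Out-Null
```

The `(M)` entry for the users group carries no inheritance flags, which is what "this folder only" means in icacls terms; `(OI)(CI)(IO)` on CREATOR OWNER makes the grant apply only to children, so a user becomes owner of the profile folder they create and nothing else.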

Configure Intune policies for Session Host

The next step is to configure an Intune policy that allows the session host to retrieve the cloud Kerberos ticket during logon, using a custom OMA-URI setting.

  1. Configure the Intune Policy CSP setting Kerberos/CloudKerberosTicketRetrievalEnabled and apply it to the session hosts. Navigate to Intune portal --> Devices --> Configuration profiles. Click on New policy.

New Policy
In the new policy screen, select Windows 10 and later as the platform and Templates as the profile type, then select Custom from the drop-down menu.

Custom policy
Provide a name for the policy and click Next. Under Configuration settings, click Add.
Image description
The OMA-URI comes from the Kerberos/CloudKerberosTicketRetrievalEnabled entry in the Policy CSP reference: ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
OMA URI

Provide a name, the OMA-URI path above, data type Integer and value 1.

OMA Configuration
Under the Assignments tab, scope it to the AVD session hosts.

Note: This policy will not work for multi-session desktops. Use the registry to configure this setting instead; the policy maps to the DWORD value CloudKerberosTicketRetrievalEnabled = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
Policy assignment

  2. The next setting is the registry value that enables credential keys. When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the credential keys in Credential Manager must belong to the profile that is currently loading. This lets a user load their profile on many different VMs instead of being tied to just one. To enable this setting, create the registry value by running the following command:

reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1

Configure the FSLogix Profile

The next step is to configure the FSLogix profile settings using an Intune policy. I am not adding those steps here, assuming that you already know how to configure FSLogix settings with Intune. At a minimum, Enabled must be 1 and VHDLocations must point at the UNC path of the share (\\<storageaccount>.file.core.windows.net\<share>) under HKLM\SOFTWARE\FSLogix\Profiles.
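The session-host configuration from the two sections above, applied through the registry instead of Intune, for the multi-session case where the custom OMA-URI profile does not apply. This is an added example, not code from the original post: it writes the registry equivalent of the Kerberos/CloudKerberosTicketRetrievalEnabled policy, the LoadCredKeyFromProfile value, and the two minimum FSLogix values, then reads them back. The share path \\avdprofilesstg.file.core.windows.net\fslogix is a placeholder, and FSLogix is assumed to be installed on the host.

```powershell
# Added example (not from the original post). Run elevated on the session host, or deploy as
# an Intune PowerShell script / image build step. Placeholder share path below.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'CloudKerberosTicketRetrievalEnabled'; Type = 'DWord'; Value = 1 }   # = Intune policy
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
       Name = 'LoadCredKeyFromProfile'; Type = 'DWord'; Value = 1 }                # cred keys roam
    @{ Path = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Name = 'Enabled'; Type = 'DWord'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\FSLogix\Profiles'
       Name = 'VHDLocations'; Type = 'MultiString'
       Value = @('\\avdprofilesstg.file.core.windows.net\fslogix') }              # placeholder
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Read everything back and fail loudly if a value did not stick (for example because a
# conflicting policy rewrote it).
foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction Stop).($s.Name)
    if (Compare-Object @($actual) @($s.Value)) {
        throw "$($s.Path)\$($s.Name) is '$actual', expected '$($s.Value)'"
    }
    '{0}\{1} = {2}' -f $s.Path, $s.Name, ($actual -join ', ')
}
```

A reboot (or at least a fresh logon) is needed after the Kerberos value changes, because the cloud TGT is requested as part of logon.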

Validate the settings

The final part is to validate your configuration by connecting to an AVD desktop. Ensure the profile container is created on the Azure file share. If you run into issues, review the FSLogix logs in Event Viewer (Applications and Services Logs --> Microsoft --> FSLogix --> Apps --> Operational) and confirm with klist that the session received a Kerberos ticket for cifs/<storageaccount>.file.core.windows.net issued by the KERBEROS.MICROSOFTONLINE.COM realm rather than by an on-premises domain controller.
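The validation described above as a script to run inside the user's AVD session after logon. This is an added example, not code from the original post; the storage account "avdprofilesstg" and share "fslogix" are placeholders.

```powershell
# Added example (not from the original post). Run as the test user inside the AVD session.
$StorageAccount = 'avdprofilesstg'   # placeholder
$Share          = 'fslogix'          # placeholder
$Spn            = "cifs/$StorageAccount.file.core.windows.net"

# 1. Was a cloud Kerberos service ticket issued for the share? A working setup shows the
#    cifs/ SPN issued by the KERBEROS.MICROSOFTONLINE.COM realm; an on-prem realm or a
#    KDC error means the Entra Kerberos setting or admin consent is missing.
$ticket = klist get $Spn 2>&1
if ($ticket -match 'KERBEROS\.MICROSOFTONLINE\.COM') {
    "OK: cloud Kerberos ticket for $Spn"
} else {
    "FAIL: no cloud ticket for $Spn. klist output:`n$($ticket -join "`n")"
}

# 2. Did FSLogix attach a container from the share? Surface recent errors and warnings.
$events = Get-WinEvent -LogName 'Microsoft-FSLogix-Apps/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue
$problems = $events | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' }
if ($problems) {
    "FSLogix reported $($problems.Count) problem event(s):"
    $problems | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    'OK: no FSLogix errors or warnings in the last 200 events'
}

# 3. Does this user's profile folder exist on the share? FSLogix names it with the
#    username and SID, so match on the username.
$profileDir = Get-ChildItem "\\$StorageAccount.file.core.windows.net\$Share" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$env:USERNAME*" }
if ($profileDir) { "OK: profile folder $($profileDir.FullName)" } else { "FAIL: no profile folder for $env:USERNAME" }
```

With the NTFS layout from the permissions step the user can list the share root but only open their own folder, so step 3 succeeding for the current user and failing for another user's folder is the expected result.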
